Abstract

Distance bounding protocols are security countermeasures designed to thwart
relay attacks. Such attacks consist in relaying messages exchanged between
two parties, making them believe they communicate directly with each other.
Although distance bounding protocols have existed since the early nineties,
this research topic was revived by the deployment of contactless systems,
against which relay attacks are particularly impactful. Given the impressive
number of distance bounding protocols that are designed every year, it
becomes urgent to provide researchers and engineers with a methodology to
fairly compare the protocols in spite of their various properties. This paper
introduces such a methodology based on concepts from the decision making
field. The methodology allows for a multi-criteria comparison of distance
bounding protocols, thereby identifying the most appropriate protocols once
the context is provided. As a side effect, this paper clearly identifies the
protocols that should no longer be considered, regardless of the considered
scenario.
1. Introduction

Distance bounding protocols are the most popular countermeasures against
relay attacks. In a relay attack on an authentication protocol, an adversary
aims to convince the verifier that he directly communicates with the genuine
prover, while the adversary is actually in the middle and relays the
messages exchanged between the two parties. Typically, a relay attack makes
the verifier believe the prover is located within his neighborhood while he is
far away.

1.1. Relay attacks 

Conway [15] introduced in 1976 the concept of a relay attack through the
Chess Grandmaster problem where a little girl is challenged to defeat a Chess
Grandmaster in correspondence chess. The solution suggested by Conway to
allow the little girl to be successful is to perform a relay attack between two
Chess Grandmasters: the attack consequently consists in relaying the moves
received between the two Chess Grandmasters, which results for the little
girl in either a win or two draws.

Relay attacks also apply to authentication protocols as originally
proposed by Desmedt, Goutier, and Bengio at Crypto 87 [17], whose work was
later extended by Brassard and Quisquater in [7]. In their papers, the
authors refuted Shamir's claims about the Fiat-Shamir protocol [18] when he
says that the protocol is secure even when being executed one million times
in a Mafia-owned store [21]. Desmedt et al. indeed raised that a relay
attack is still possible, and they consequently named the suggested relay attack
mafia fraud. Since then, both terms, relay attack and mafia fraud, are used
interchangeably in the literature. Note however that Avoine et al. [1]
distinguish mafia fraud from relay attacks by considering that the adversary
cannot modify the forwarded messages in a relay attack. This distinction
allows for representing an adversary who does not know the specifications of
the considered protocol.

Although mafia fraud was suggested late in the eighties, practical
implementations of this type of fraud appeared much later. Mafia fraud actually
became a real threat with the ubiquity of contactless technologies. For
example, practical attacks were developed against Radio Frequency IDentification
(RFID) [22, 23], Near Field Communication (NFC) [20], and Passive Keyless
Entry and Start Systems (PKES) in modern cars [19]. For instance,
off-the-shelf devices to perform relay attacks against PKES can be bought
on the Internet [12].

1.2. Distance bounding protocols 

Mafia fraud does not rely on exploiting security protocol vulnerabilities.
Conventional security mechanisms are thus ineffective against it. Based on
an idea from Beth and Desmedt [8], Brands and Chaum suggested a
countermeasure to mafia fraud that consists in measuring the Round-Trip-Time
(RTT) of 1-bit messages exchanged between the parties, using a dedicated
communication channel [10]. In their solution, the verifier measures the
round-trip time $t_m$ between the moment he sent a challenge and the moment
he receives the response from the prover. The verifier can consequently
estimate a tight upper-bound on the distance between the prover and the verifier
by computing $d = c \cdot (t_m - t_d)/2$, where $c$ is the speed of light and
$t_d$ is the delay induced by the prover to compute the response, given the
challenge.

Note that distance bounding protocols do not detect relay attacks in a
strict sense. Instead, they detect unexpected delays, and conclude in such
a case that a mafia fraud attack might have occurred. As a consequence,
neither the communication channel, nor the calculation should introduce
flexible timing during the protocol execution, since that could be exploited
by an adversary. For example, requiring the prover to perform heavy
computations in passive contactless systems may allow an adversary to significantly
reduce $t_d$ by overclocking the prover's device, which in turn may allow the
adversary to increase $t_m$ without pushing $d$ above the expected upper-bound.
Since Desmedt et al.'s seminal work [8], a conservative assumption for
designing distance bounding protocols consists in considering minimally sized
messages (typically 1-bit messages) and lightweight computations during the
time-measurement phase.

1.3. Protocol evaluation 

Avoine et al. introduced in [1] a Framework for analyzing distance
bounding protocols. This widely used Framework defines four types of fraud that
should be considered in the security evaluation of distance bounding
protocols. For the sake of accuracy, the fraud definitions from [1] are provided
in extenso below.

• Given a distance bounding protocol, an impersonation fraud attack is
an attack where a lonely prover purports to be another one.

• A mafia fraud attack is an attack where an adversary defeats a
distance bounding protocol using a man-in-the-middle (MITM) between
the reader and an honest tag located outside the neighborhood.

• Given a distance bounding protocol, a distance fraud attack is an attack
where a dishonest and lonely prover purports to be in the neighborhood
of the verifier.

• A terrorist fraud attack is an attack where an adversary defeats a
distance bounding protocol using a man-in-the-middle (MITM) between
the reader and a dishonest tag located outside of the neighborhood,
such that the latter actively helps the adversary to maximize her
attack success probability, without giving to her any advantage for future
attacks.

The security evaluation of a distance bounding protocol then consists in
computing the resistance of the protocol for every type of fraud, which is
done by computing the probability for an adversary to successfully perform
the considered fraud.

Since Brands and Chaum's breakthrough, many distance-bounding
protocols have been proposed^1, which deliver improvements in terms of security
(see Section 2). These proposals also introduce new requirements on the
protocols, e.g., to be usable on noisy channels, and properties, e.g., to be
more computationally efficient or to require less memory. Given the
various requirements and properties, a fair methodology to compare distance
bounding protocols is strongly needed.

1.4. Contribution

This paper introduces a methodology based on concepts from the decision
making field to perform a multi-criteria comparison of distance bounding
protocols. The methodology identifies the most desirable protocols, given
a set of required properties, and disqualifies protocols that are dominated
by better solutions whatever the considered properties. Even though the
methodology can be understood without difficulty, applying it on a large set
of distance bounding protocols may be time-consuming. As a consequence,
an open-source computer tool was released in order to easily include into the
comparison future distance bounding protocols and new criteria.

^1 http://www.avoine.net/rfid/
Table 1: List of protocols and their acronyms.

Authors                                       Reference  Year  Acronym
--------------------------------------------  ---------  ----  -----------
Brands and Chaum                              [10]       1993  BC
Capkun, Buttyan, and Hubaux                   [13]       2003  MAD
Bussard and Bagga                             [11]       2005  BB
Hancke and Kuhn                               [24]       2005  HK
Munilla and Peinado                           [28]       2006  MP
Kim, Avoine, Koeune, Standaert, and Pereira   [27]       2008  Swiss-Knife
Avoine and Tchamkerten                        [5]        2009  Tree-based
Trujillo-Rasua, Martin, and Avoine            [33]       2010  Poulidor
Rasmussen and Capkun                          [29]       2010  RC
Yum, Kim, Hong and Lee                        [34]       2010  YKHL
Kim and Avoine                                [26]       2011  KA
Boureanu, Mitrokotsa, and Vaudenay            [9]        2013  SKI
Trujillo-Rasua, Martin, and Avoine            [31]       2014  TMA


2. Background 

Distance bounding protocols are authentication protocols that, in
addition, compute an upper bound on the distance between the prover and the
verifier. Since we focus on the distance bounding properties of such
protocols, we ignore any such protocol that does not even achieve authentication,
e.g., due to impersonation attacks or key-recovery attacks [30]. The
considered protocols are briefly introduced and classified according to their main
features, which are the features that occur most frequently in literature and
that should be taken into account to compare the protocols. The protocols
are listed in Table 1.

2.1. Compared protocols

2.1.1. Resistance to mafia and distance fraud. 

The earliest distance bounding protocol, introduced by Brands and Chaum
in 1993 [10], consists of an initial commitment phase, followed by n rounds
where the verifier sends a single-bit challenge and receives a single-bit
response from the prover. The protocol is then completed with a final phase
where the commitment is opened and a signature of the exchanged messages
is provided by the prover. The phase during which the round trip time (RTT)
is measured is known as the fast phase while the other ones are known
as the slow phases. The BC protocol, provided in Algorithm 1, reaches the
optimal security bound $(1/2)^n$ against both mafia and distance fraud, where
n is the number of rounds^2. The authors, however, left as an open problem
the design of a distance-bounding protocol that resists terrorist fraud as
well.

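Algorithm 1: Brands and Chaum's Protocol

Verifier                                                      Prover
(prover's public key K,)                  (prover's private key K_s)

                                               m_i ∈_R {0, 1}
                   Commit(m_1 || ... || m_n)
            <----------------------------------------

                      begin of fast phase
Pick a random bit c_i
                              c_i
            ---------------------------------------->
                       r_i = m_i ⊕ c_i
            <----------------------------------------
                       end of fast phase

             Open(Commit), Sign_{K_s}(c_1 || r_1 || ...)
            <----------------------------------------
Check r_i and the
RTTs
Verify Sign_{K_s}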
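
The following simulation is an added example, not code from the paper or its tool. It runs the fast phase of Algorithm 1 together with the verifier's checks and the bound d = c · (t_m − t_d)/2 from Section 1.2, showing why the verifier's assumed t_d must match the prover's real processing delay. Salted SHA-256 stands in for the commitment scheme, the final signature is omitted, and every timing, distance and threshold is a constructed value.

```python
import hashlib
import random

C = 299_792_458.0  # speed of light, m/s


def commit(bits, nonce):
    """Commit(m_1||...||m_n); salted SHA-256 stands in for the scheme."""
    return hashlib.sha256(nonce + bytes(bits)).digest()


def distance_bound(t_m, t_d):
    """d = c * (t_m - t_d) / 2 for one measured round trip (seconds)."""
    return C * (t_m - t_d) / 2


def verify(commitment, bits, nonce, challenges, responses, rtts, t_d, d_max):
    """Verifier's end-of-protocol checks: the opening, every r_i, every RTT."""
    if commit(bits, nonce) != commitment:
        return False
    for m_i, c_i, r_i, t_m in zip(bits, challenges, responses, rtts):
        if r_i != m_i ^ c_i:
            return False
        if distance_bound(t_m, t_d) > d_max:
            return False
    return True


def run_session(rng, n, distance_m, d_max, assumed_t_d,
                actual_t_d=None, relay_delay=0.0, guess=False):
    """One protocol run; returns True if the verifier accepts.

    assumed_t_d is the processing delay the verifier subtracts, actual_t_d
    the delay the prover really takes, relay_delay any time added on the
    channel. With guess=True the responses come from a party next to the
    verifier that answers at once with random bits, without knowing m_i.
    """
    if actual_t_d is None:
        actual_t_d = assumed_t_d
    bits = [rng.getrandbits(1) for _ in range(n)]       # prover picks m_i
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    commitment = commit(bits, nonce)                    # initial slow phase
    challenges, responses, rtts = [], [], []
    for m_i in bits:                                    # fast phase
        c_i = rng.getrandbits(1)
        if guess:
            r_i, t_m = rng.getrandbits(1), assumed_t_d
        else:
            r_i = m_i ^ c_i
            t_m = 2 * distance_m / C + actual_t_d + relay_delay
        challenges.append(c_i)
        responses.append(r_i)
        rtts.append(t_m)
    return verify(commitment, bits, nonce, challenges, responses, rtts,
                  assumed_t_d, d_max)


def guess_acceptance_rate(n, trials, seed=1):
    """Fraction of runs accepted when every response is a random bit."""
    rng = random.Random(seed)
    hits = sum(run_session(rng, n, 0.0, 1.0, 50e-9, guess=True)
               for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    rng = random.Random(0)
    # Constructed scenario: 1 m acceptance radius, 50 ns nominal t_d.
    print("prover at 0.5 m:", run_session(rng, 16, 0.5, 1.0, 50e-9))
    print("prover at 50 m:", run_session(rng, 16, 50.0, 1.0, 50e-9))
    print("100 ns added on the channel:",
          run_session(rng, 16, 0.5, 1.0, 50e-9, relay_delay=100e-9))
    print("prover at 5 m answering in 10 ns instead of 50 ns:",
          run_session(rng, 16, 5.0, 1.0, 50e-9, actual_t_d=10e-9))
    print("random answers, n = 3:", guess_acceptance_rate(3, 20000))
```

The fourth case is the timing flexibility the introduction warns about: a 40 ns gap between assumed and real processing time hides about 6 m of distance, which is why the fast phase is kept to 1-bit messages and lightweight computations.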


2.1.2. Resistance to terrorist fraud. 

The challenge of designing a protocol resistant to terrorist fraud was
taken up later in 2005 by Bussard and Bagga [11], who proposed a protocol
similar in design to the BC protocol. In addition to commitment and
signature schemes, the BB protocol uses a (2, 2)-secret sharing scheme aimed
at defeating terrorist fraud. However, Avoine, Lauradoux, and Martin [4]
demonstrated that a (2, 2)-secret sharing scheme is insufficient to thwart
terrorist fraud: a (3, 3)-secret sharing scheme should be used instead.

^2 For every distance bounding protocol with a single fast phase consisting of n rounds
of 1-bit exchanges, an adversary who answers randomly during the fast phase and relays
all the other messages succeeds with probability $(1/2)^n$ [1].

Later on, in 2008, a first distance-bounding protocol resistant to some
extent to terrorist fraud was suggested by Kim et al. [27]. This protocol
was named the Swiss-knife distance-bounding protocol - in reference to the
multi-tool Swiss army knife - due to its ability to deal with mafia, distance,
and terrorist fraud at the same time. Nevertheless, its resistance value of
$(3/4)^n$ to both mafia and terrorist fraud is far from the optimal security
bound $(1/2)^n$.

More recently, in 2013, the SKI family of protocols was designed by
Boureanu, Mitrokotsa, and Vaudenay [9] to counter terrorist fraud. The SKI
protocols do not perform better than existing protocols, but they benefit from
the availability of security proofs.

2.1.3. Final slow phase and lightweight cryptographic operations. 

The boom of RFID technology in the early 21st century, driven by
Walmart's^3 announcement of tagging pallets and cases of goods with RFID tags,
motivated Hancke and Kuhn to design the first distance-bounding protocol
for resource-constrained devices [24]. To do so, they dropped the objective of
making the protocol secure against terrorist fraud, and focused on eliminating
both the final slow phase and the need for expensive cryptographic primitives,
such as commitment and signing. The drawback of the HK protocol is its
low resistance to both distance and mafia fraud, which is $(3/4)^n$ [24, 33].

Inspired by the strengths and weaknesses of Hancke and Kuhn's proposal,
several other distance-bounding protocols were proposed [5, 28, 26, 33, 31,
34]. All of them aim at improving the security to both mafia fraud and
distance fraud, while keeping the simple design of the HK protocol to make
them suitable for low-cost devices. The protocols proposed in [34, 31] also aim
at extra features such as mutual authentication and noise resiliency respectively.

2.1.4. Memory.

Among the protocols inspired by the HK protocol, the tree-based
protocol proposed by Avoine and Tchamkerten [5] achieves the best asymptotic
security to mafia and distance fraud. Unfortunately, the tree-based protocol
requires an exponential amount of memory w.r.t. the number of rounds of
the fast phase. To mitigate this problem, the authors [5] suggest a trade-off
between memory requirement and security by parameterizing the depth of
the tree.

^3 Walmart is the largest retailer in the world.

Another approach by Trujillo-Rasua, Martin, and Avoine [33] consists in
using a graph instead of a tree. This protocol, named Poulidor, requires a
linear memory instead of an exponential one, but degrades the resistance
to mafia and distance fraud in comparison to the tree-based protocol. An
additional issue is that the analysis of Poulidor is complex [32] and only
conservative bounds on the resistance to the various types of fraud have
been provided.

To increase the resistance to mafia and distance fraud without
significantly increasing the memory requirement, Kim and Avoine [26] proceed
differently and suggest a trade-off between distance and mafia fraud
resistance, which can be adapted to any given scenario.

2.1.5. Single-bit exchanges. 

Based on the HK protocol, Munilla and Peinado introduced a
distance-bounding protocol [28] where three-state challenges are used instead of binary
challenges. This idea was later improved and generalized by MUSE [2], which
assumes a multiple-bit channel during the fast phase. Actually, MUSE is a
technique (not a protocol per se) that transforms any single-bit challenge
protocol into a multiple-bit challenge protocol. Empirical results in [2]
suggest that a MUSE transformation achieves better security properties than
the single-bit challenge counterpart. For instance, the resistance of the BC
protocol [10] to mafia fraud is $(1/2)^n$, while its MUSE transformation with
a 2-bit channel achieves $(1/4)^n$. In both protocols, n denotes the number
of rounds during the fast phase, which means that the security is measured
in terms of number of rounds. However, considering the number of bits
exchanged during the fast phase, denoted e, the security of both protocols
becomes equal to $(1/2)^{e/2}$. This illustrates the difficulty in comparing protocols
that require different properties concerning the channels.

2.2. Protocol evaluation 

To the best of our knowledge, Kim et al. [27] were the first authors
comparing their protocol against previously proposed distance bounding
protocols. They used a tabular form and evaluated eight different protocols in
terms of mafia and terrorist fraud resistance, number of cryptographic
operations to be performed by the prover, noise resiliency of the protocol, privacy
preservation, and mutual authentication. In the comparisons published later
on, the last three properties are generally not considered, as done for example
in [9]. It is worth noting that the mentioned criteria are equally important
and cannot be ranked: this implies that protocols can be compared according
to one criterion at a time only. Note also that the resistance to attacks is
generally evaluated asymptotically, i.e., when the number of rounds tends to
infinity. However, a protocol might be asymptotically better than another
protocol, while it is worse for some small number of rounds.

Trujillo-Rasua et al. [33, 31] suggested a significantly different technique
to compare distance bounding protocols, where the comparison is based on
two criteria and is no longer done asymptotically. So, for every protocol
and for every (discretized) pair $(m, d)$ of mafia and distance fraud resistance
values in $[0,1]^2$, the technique computes the minimum number of rounds n
needed to reach these values. For every pair $(m, d)$, the best protocol is
the one that requires the smallest value n. Figure 1 represents the result of
the comparison applied to the Poulidor, HK, KA, and tree-based protocols
in [33]. The 2D chart displays the best protocol (or one of the best protocols
in case of equality) among the four considered ones for every possible value
of mafia and distance fraud. For example, when $(m, d) = (1, 1)$, the best
protocol is HK.

The comparison methodology introduced by Trujillo-Rasua et al. is more
advanced than the one suggested by Kim et al., but its usability remains
limited. Indeed, Trujillo-Rasua et al.'s methodology requires criteria that
impact the objective function, which is minimizing the value n. For example,
applying the methodology with the criteria "mafia fraud resistance" and
"presence of a final slow phase" is meaningless, given that the presence or
not of a final slow phase does not depend on n. Another weakness - although
the core of the methodology is not concerned - is the 2D representation of
the result, which is inappropriate when considering more than two criteria.

3. Methodology 

Multi-criteria decision-making actually consists in making a decision,
namely selecting the best solution(s) in a set of possible solutions, when the
evaluation of solutions depends on several criteria. For example, buying a car
is a multi-criteria decision making problem, because price, size, horsepower,
color, etc. are different criteria that influence the decision. Similarly,
choosing a distance bounding protocol is a multi-criteria decision-making problem
where several security and implementability criteria need to be considered.
This section defines the relevant attributes that ought to be considered in
distance bounding protocols, together with the concepts of approximate equality,
attribute spaces, dominant relation, and protocol instance.

Figure 1: A visual representation [33] of the comparison of Poulidor [33], the HK
protocol [24], the KA protocol [25], and the tree-based protocol using trees of depth 3
(Tree-3) [5].

3.1. Attributes 

Decision criteria are built on atomic attributes that characterize the
options available, namely the distance bounding protocols in our case. The
most common attributes used in the literature to evaluate distance bounding
protocols are related to security and implementability. These attributes are
introduced below.
3.1.1. Security-related attributes.

The security challenge aims to reduce the adversary's probability to
successfully perform a mafia, distance, or terrorist fraud attack^4. The three
following attributes are consequently considered in this paper:

• Mafia fraud resistance ($p_m$). Probability for an adversary to
successfully perform a mafia fraud attack according to the Framework [1]
already mentioned in Section 1.

• Distance fraud resistance ($p_d$). Probability for an adversary to
successfully perform a distance fraud attack according to the Framework.

• Terrorist fraud resistance ($p_t$). Probability for an adversary to
successfully perform a terrorist fraud attack according to the Framework.

Other security-related attributes are the number of rounds n and the
size t of the messages exchanged during the fast phase. On the one hand,
most distance bounding protocols can arbitrarily increase t while keeping
n constant [2], which enhances their security. On the other hand, security
can also be improved by simply increasing n. Both attributes are indeed
related by the equation $e = 2 \cdot n \cdot t$, where e represents the number of bits
exchanged during the fast phase. We therefore consider e to be a
security-related attribute that encompasses both n and t.

• Number of bits exchanged (e). Number of bits exchanged during the 
fast phase. 

3.1.2. Implementability-related attributes. 

When Hancke and Kuhn [24] proposed a simple and lightweight design
of distance bounding protocol, the objective was to reduce the number of
cryptographic operations to be performed by the prover, and to avoid the
use of a final slow phase. Consequently, these two implementability-related
attributes are considered in this paper.

• Number of cryptographic operations performed by the prover (c). The
number of cryptographic operations performed by the prover is
considered, because it provides a preliminary technology-independent
evaluation of the computational cost of the protocols.

• Final slow phase (f). Presence (or not) of a final slow phase in the
protocol.

^4 Another type of fraud, named distance hijacking, was recently introduced by Cremers,
Rasmussen, Schmidt, and Capkun [16], but this fraud is usually disregarded in the analysis.

Later on, memory usage became a concern as well, because the prover in
the tree-based protocol [5] pre-computes a tree whose size is exponential w.r.t.
the number of rounds of the fast phase. Memory is consequently considered
as an implementability-related attribute:

• Memory used by the prover (s). Maximum size of the volatile memory
that the prover needs in order to store the values used during the
protocol execution. Note that in practice, the actual size of the memory can
be smaller because memory cells might be released and subsequently
refilled with other values during the execution of the protocol.
Considering the prover's memory instead of the verifier's memory is
motivated by the prevailing design of distance bounding protocols where
the prover needs to pre-compute all the possible answers before the fast
phase, whereas verifying the prover's answers might not require heavy
pre-computation and can be performed at the end of the protocol.

Finally, the implementation complexity of a distance bounding protocol
strongly depends on the technology considered. This makes it challenging to
perform an objective evaluation in that respect. In particular, some
protocols require channels that carry atomic symbols containing more than one bit
of information. Although technologically feasible, this requirement is strong
enough to be taken into account when comparing two protocols. In the same
vein, some protocols use multiple-bit exchanges during the fast phase, while
a conservative assumption since Desmedt et al.'s work [8] consists in
considering 1-bit messages. This clear distinction between those distance bounding
protocols that use single-bit exchanges during the fast phase and those that
use multiple-bit exchanges is captured by the following
implementability-related attribute.

• Multiple-bit exchange (b). A binary attribute stating the use (or not) 
of multiple-bit exchanges. 

3.2. Attribute spaces and (non)domination 

When solving decision-making problems, it is important to consider a
notion of approximate equality on the domains of the attributes. To illustrate
this, consider someone who wants to buy a second-hand car among cars that
differ on mileage and price only. When mileages are different but very close,
they can be considered in the same mileage range, and only the price should
lead the decision.

In this section, we first provide the general terminology and notation,
afterwards we define the attribute domain and approximate equality for every
considered attribute.

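Definition 1 (Approximate equality). Let $(D, <)$ be a totally ordered
set. An approximate equality relation $\approx\ \subseteq D \times D$ is a relation satisfying,
for all $x, y, z \in D$,

    $x \approx x$

    $x \approx y \implies y \approx x$

    $x \approx z \land x < y < z \implies x \approx y \land y \approx z$.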

The first two properties state that approximate equality satisfies
reflexivity and symmetry. The third property expresses that it is consistent with the
total order on D. Notice that approximate equality is not an equivalence
relation, because it doesn't satisfy transitivity. The reason is that many small
differences can add up to a large difference.

Given a totally ordered set with approximate equality, we can define the
relation $\prec\ \subseteq D \times D$ by

    $x \prec y \iff x < y \land x \not\approx y$.

Similarly, we define $x \preceq y$ by $x \prec y \lor x \approx y$ and the symmetric cases
$x \succ y$ and $x \succeq y$ by $y \prec x$ and $y \preceq x$, respectively. Next, we extend these
comparison operators to attribute spaces.

Definition 2. Let I be an index set, then a family of ordered sets with
approximate equality $(D_i, <_i, \approx_i)_{i \in I}$ is called an attribute space.

For an index set $I = \{1, \ldots, n\}$, we simplify notation by stating that
$A = D_1 \times \ldots \times D_n$ is an attribute space and that its elements are of the form
$x = (x_1, \ldots, x_n)$. We define the dominant relation $\prec\ \subseteq A \times A$ for $x, y \in A$ by

    $x \prec y \iff \forall i \in I\ (x_i \preceq y_i) \land \exists i \in I\ (x_i \prec y_i)$.

If $x \prec y$, we say that x dominates y, otherwise, if $x \nprec y$, we say that y
is nondominated by x. Similarly, given $E \subseteq A$ and $x \in E$, we say that x is
nondominated in E if

    $\nexists y \in E\ (y \prec x)$.





Given that we are considering eight different attributes, we next define a
totally ordered set with approximate equality relation for the eight considered
attributes: $p_m$, $p_d$, $p_t$, e, c, s, f, and b.

• $(D_i, <_i, \approx_i)$ for $i \in \{p_m, p_d, p_t\}$: The attributes related to the three
types of fraud are in the probability domain [0,1], i.e., $D_i = [0,1]$ for
$i \in \{p_m, p_d, p_t\}$.
In order to provide reasonable approximate equality relations for the
three probability-based attributes, we consider that the adversary's
probability of success should be more refined as it approaches 0.
Therefore, a security value x can be represented by the interval $(x/2, 2x)$. The
approximate equality relations are thus defined as follows.

    $\forall i \in \{p_m, p_d, p_t\}\ (x \approx_i y \iff x/2 < y < 2x)$

The fact that this relation satisfies the three requirements from
Definition 1 follows from simple algebraic reasoning.

• $(D_e, <_e, \approx_e)$ and $(D_c, <_c, \approx_c)$: Both the number of bits exchanged in the fast
phase and the number of cryptographic operations (c) are in the domain
of the natural numbers N. Their approximate equality relations $\approx_c$ and
$\approx_e$ are simply the equality in N.

• $(D_s, <_s, \approx_s)$: Memory (s) is in the domain of the natural numbers N,
and its approximate equality relation is defined by scaling from bits to
kilobits. Defining $\approx_s$ in that way is a pragmatic approach based on
experience in the field of contactless systems where any saving on a
single kilobit is worthy. However, decision makers could use a different
relation, based on, e.g., megabytes. Formally, $\approx_s$ is defined as follows.

    $x \approx_s y \iff |x - y| < 1024$.

• $(D_f, <_f, \approx_f)$: Presence of a final slow phase (f) is a nominal attribute
in the Boolean domain. Protocols avoiding this phase are normally
designed for low-cost devices [24]. We thus define both the total order
and the approximate equality relations as follows.

    $x <_f y \iff x = \text{false} \land y = \text{true}$.

    $x \approx_f y \iff x = y$.

• $(D_b, <_b, \approx_b)$: Use of a multiple-bit channel (b) is also in the Boolean
domain. A single-bit exchange protocol can be easily improved by
transforming it to a multiple-bit protocol [2]. Consequently, we define
the total order and the approximate equality relation as follows.

    $x <_b y \iff x = \text{false} \land y = \text{true}$.

    $x \approx_b y \iff x = y$.


3.3. Solution 

The methodology introduced in this paper does not aim to identify the
best protocol in a general way but, instead, to identify the set of
nondominated protocols. Intuitively, a protocol is nondominated when it is not
possible to improve on it by moving to another protocol without
degrading the result w.r.t. at least one attribute.

Providing a given protocol with attribute values typically requires one to
specify values for protocol-specific parameters, e.g., the number of rounds.
We thus consider protocol instances, which are protocols for which all such
parameters have been instantiated and whose attribute values can be
unambiguously determined. In order to not introduce additional notation, we
simply represent this one-to-many relation from protocols to protocol instances
by means of identifiers. In short, a protocol instance is a pair $(PI, x)$ where
PI is an identifier that uniquely identifies a full specification of a protocol,
and $x \in A$ provides the attribute values for the fully-specified protocol PI.
We recall that $A = D_{p_m} \times D_{p_d} \times D_{p_t} \times D_e \times D_c \times D_s \times D_f \times D_b$ is the attribute
space defined in Section 3 over the index set $I = \{p_m, p_d, p_t, e, c, s, f, b\}$.

Definition 3 (Solution). Given a set of protocol instances E, a solution in
our methodology is the subset $S \subseteq E$ of maximum cardinality such that for
every $(P_x, x) \in S$ there does not exist $(P_y, y) \in E$ such that $y \prec x$. We say,
in this case, that $(PI, x)$ is nondominated in E.

We also say that a protocol instance $(P_x, x)$ dominates another
protocol instance $(P_y, y)$ if and only if $x \prec y$. If $x \nprec y$, we say that $(P_y, y)$ is
nondominated by $(P_x, x)$.
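
The sketch below is an added example, not the paper's Java tool. It implements the per-attribute approximate equalities of Section 3.2, the dominance relation, and the solution of Definition 3. The four instances are constructed for illustration: only the $(1/2)^{16}$ and $(3/4)^{16}$ fraud probabilities follow the figures quoted in Section 2, and the remaining attribute values and instance names are assumptions.

```python
ATTRS = ("pm", "pd", "pt", "e", "c", "s", "f", "b")


def approx_prob(x, y):
    # x ~ y iff x/2 < y < 2x; the x == y test keeps reflexivity at x = 0.
    return x == y or x / 2 < y < 2 * x


def approx_exact(x, y):
    # Plain equality: used for e, c and the Boolean attributes f and b.
    return x == y


def approx_memory(x, y):
    # Memory sizes in bits are approximately equal within one kilobit.
    return abs(x - y) < 1024


APPROX = {"pm": approx_prob, "pd": approx_prob, "pt": approx_prob,
          "e": approx_exact, "c": approx_exact, "s": approx_memory,
          "f": approx_exact, "b": approx_exact}


def prec(attr, x, y):
    """x is strictly better than y on one attribute: x < y and not x ~ y."""
    # Python orders False < True, matching the total order on f and b.
    return x < y and not APPROX[attr](x, y)


def preceq(attr, x, y):
    """x is better than or approximately equal to y on one attribute."""
    return prec(attr, x, y) or APPROX[attr](x, y)


def dominates(x, y):
    """x dominates y: no worse on every attribute, strictly better on one."""
    return (all(preceq(a, x[a], y[a]) for a in ATTRS)
            and any(prec(a, x[a], y[a]) for a in ATTRS))


def solution(instances):
    """Names of the instances that no other instance dominates."""
    return {name for name, x in instances.items()
            if not any(dominates(y, x) for y in instances.values())}


# Constructed protocol instances (attribute values are assumptions).
HK = (3 / 4) ** 16
INSTANCES = {
    "BC-like": dict(pm=2 ** -16, pd=2 ** -16, pt=1.0,
                    e=32, c=3, s=32, f=True, b=False),
    "HK-like": dict(pm=HK, pd=HK, pt=1.0,
                    e=32, c=1, s=64, f=False, b=False),
    # Differs from HK-like only within the approximate-equality margins.
    "HK-like-variant": dict(pm=1.5 * HK, pd=HK, pt=1.0,
                            e=32, c=1, s=600, f=False, b=False),
    # Same security as HK-like but more operations and a final slow phase.
    "Dominated": dict(pm=HK, pd=HK, pt=1.0,
                      e=32, c=2, s=64, f=True, b=False),
}

if __name__ == "__main__":
    print(sorted(solution(INSTANCES)))
```

Neither HK-like instance dominates the other because their differences stay inside the approximate-equality margins, while the stronger security of the BC-like instance does not let it dominate instances that avoid the final slow phase.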

To illustrate the nondominated relation between two protocol instances,
we make use of spider charts [14]. Spider charts (also known under various
other names, such as radar charts) are simple graphs that make it possible to
quickly compare the relative scores of a number of alternatives along various
axes. An example of a spider chart is given in Figure 2. There we present two
protocol instances: one corresponds to Brands and Chaum's protocol [10]
(labeled "BC-{16}") when n = 16, and the other one to the tree-based
protocol [5] (labeled "Tree-{16,8}") with depth equal to 8 and n = 16. The
axes related to the types of fraud are logarithmically scaled from 1 (chart
center) to log 2 (^) (chart outer); the axes related to the Boolean attributes
are graduated with true (chart center) and false (chart outer). Finally, the
axes concerning memory size and number of cryptographic operations are
graduated from 10 (chart center) to 0 (chart outer). In order to focus on the
differences between the protocols, we will often only display the attribute
axes for which the protocols have different values and the security-related
attributes. Consequently, in the current example, we omitted the e and b
axes.


Figure 2: Spider chart for the protocol instances BC-{16} and Tree-{16, 8}.

A solution S, in the sense of Definition 3, can be seen as the set of relevant
protocol instances a decision maker should focus on. A similar use can be
given by distance bounding protocol designers, whose ultimate goal must
be to include their protocols in S w.r.t. some set of criteria. The role of
S is empirically illustrated in the next section where several state-of-the-art
distance bounding protocols are evaluated and compared by applying our
methodology.
4. Methodology applied to current protocols

This section reports on the results obtained after applying our methodology
to the protocols listed in Table 1. Instead of computing raw data to be
served as input to a state-of-the-art decision making tool, the methodology
has been implemented and published as an open source Java project†. The
computer tool, based on Table 2, comprises the thirteen distance bounding
protocols listed in Table 1 so as to generate protocol instances as defined
in Section 3. The decision to develop a computer tool is supported by the
growing number of distance bounding protocols proposed and the continual
refinement of their security analysis [6, 1, 27]. Our tool is therefore aimed at
facilitating the addition and modification of new protocols and criteria.

4.1. Protocol instances 

Protocol instances are built by assigning values to protocol-specific
parameters. In order to create a comprehensive set of protocol instances, we
use ranges of values a bit wider than those considered in the literature. For
instance, we consider protocols executing from 1 to 256 rounds during the
fast phase, while in the literature this number varies from 16 to 64. Other
security-related parameters, namely the size of nonces ($\delta$), secret keys ($k$),
and cryptographic primitives ($\sigma$), are considered to be large enough so that
attacks based on, for example, short keys, are infeasible. The remaining
parameter values are detailed in Table 3.

Once all parameter values are defined, we use Table 2 to obtain all protocol
instances. This leads to a set $E$ of 29184 protocol instances, which is
used as input to our methodology.

4.2. Comparison

Comparing is definitely a decision making task. Decisions ought to be
made for the sake of providing meaningful results. Nevertheless, the
comparison problem differs from classical decision making problems in the role
of the decision maker. The former problem should not reflect the point of
view of the decision maker, but reconcile decisions and criteria based on a
proper understanding of the problem and an exhaustive literature research.


† The source code can be freely downloaded from
https://github.com/rolandotr/db_comparison
Table 2: Formulas to compute the attribute values for every considered protocol.
References to the sources of the formulas are included when applicable. Additional
notation is introduced below.

• $\sigma$: size of signature, commitment, and MAC.

• $\delta$: size of the random nonces.

• $\ell$: depth of the tree in the tree-based approach [5].

• $\alpha$: number of predefined challenges in KA [26].

• $p_f$: probability of occurrence of a void-challenge in MP [28].

• $t$: size of the messages exchanged in the fast phase.


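| Protocols | $p_m$ | $p_d$ | $p_t$ | $f$ | $b$ | $c$ | $s$ |
|---|---|---|---|---|---|---|---|
| BC | $(1/2)^n$ [10] | $(1/2)^n$ [10] | 1 | Y | Y | 2 | $2n + 3\sigma$ |
| BB | $(1/2)^n$ [11] | $(1/2)^n$ [11] | 1 [4] | Y | Y | 4 | $3n + \delta$ |
| MAD | $(1/2)^n$ [13] | $(1/2)^n$ [13] | 1 | Y | Y | 4 | $2n + 2\delta + 5\sigma$ |
| HK | $(3/4)^n$ [24] | $(3/4)^n$ [33] | 1 | N | Y | 1 | $3n + 2\delta$ |
| MP | cf. [1] | cf. [1] | 1 | Y | Y | 2 | $4n + 2\delta + \sigma$ |
| Swiss-Knife | $(1/2)^n$ [27] | $(3/4)^n$ [27] | $(3/4)^n$ [27] | Y | Y | 2 | $3n + 3\delta + 2\sigma$ |
| Tree-based | $\left(\frac{1}{2^{\ell}}\left(\frac{\ell}{2}+1\right)\right)^{n/\ell}$ | cf. [33] | 1 | N | Y | 1 | (2'+i - 1) L=J + 26 + 12 |
| Poulidor | cf. [33] | cf. [33] | 1 | N | Y | 1 | $5n + 2\delta$ |
| RC | $(1/2)^n$ [29] | $(1/2)^n$ [29] | 1 | Y | N | 3 | $2\delta + 2\sigma$ |
| YKHL | cf. [3] | (i)" | 1 | N | Y | 1 | $5n + 2\delta$ |
| KA | cf. [26] | $(3/4)^{n-\alpha}$ [26] | 1 | N | Y | 1 | $4n + 2\delta$ |
| SKI | [9] | < (!)” PI | (¥)” [9] | N | N | 1 | $n(t + 1) + 2\delta + 2\sigma$ |
| TMA | cf. [31] | cf. [31] | 1 | N | N | 1 | $4n + 2\delta$ |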
Table 3: Parameter values for the considered protocols. For the KA protocol we use the
parameter $p_d$ instead of $\alpha$ given that $\alpha = \lfloor p_d \times n \rfloor$ [26].

| Protocol | Identifier | Parameter values |
|---|---|---|
| BC | BC-{n} | $n \in \{1, \ldots, 256\}$ |
| MAD | MAD-{n} | $n \in \{1, \ldots, 256\}$ |
| BB | BB-{n} | $n \in \{1, \ldots, 256\}$ |
| HK | HK-{n} | $n \in \{1, \ldots, 256\}$ |
| MP | MP-{n, p_f} | $n \in \{1, \ldots, 256\}$, $p_f \in \{0, 0.05, 0.01, \ldots, 1\}$ |
| Swiss-Knife | Swiss-Knife-{n} | $n \in \{1, \ldots, 256\}$ |
| Tree-based | Tree-{n, ℓ} | $n \in \{1, \ldots, 256\}$, $\ell \in \{1, 2, \ldots, 32\}$ |
| Poulidor | Poulidor-{n} | $n \in \{1, \ldots, 256\}$ |
| RC | RC-{n} | $n \in \{1, \ldots, 256\}$ |
| YKHL | YKHL-{n} | $n \in \{1, \ldots, 256\}$ |
| KA | KA-{n, p_d} | $n \in \{1, \ldots, 256\}$, $p_d \in \{0, 0.05, 0.01, \ldots, 1\}$ |
| SKI | SKI-{n, t} | $n \in \{1, \ldots, 256\}$, $t \in \{2, 3, \ldots, 32\}$ |
| TMA | TMA-{n} | $n \in \{1, \ldots, 256\}$ |


Throughout this article we have already made a couple of decisions. For
instance, distance bounding protocols that fail to achieve any sort of
authentication were discarded in Section 2. Section 3 limits the number of
considered attributes to 8 by choosing those frequently used in the
literature. And Section 4 defines a wide range of parameter values in order to
generate a comprehensive set of protocol instances. We claim that all these
decisions are consistent with the state of the art in distance bounding and,
therefore, keep our experiments as fair as possible.

Our last decision concerns a security criterion: mafia fraud resistance.
All distance bounding protocols must resist mafia fraud to some extent.
We thus consider different upper bounds on the probability of success of an
adversary mounting this type of fraud. More precisely, given the set $E$ of
29184 protocol instances defined previously and a probability value $y \in [0,1]$,
we define the set $E[y] = \{(P_x, x) \in E \mid y < x_{p_m}\}$‡ containing those protocols
whose resistance to mafia fraud is bounded by $y$. In what follows we no
longer consider the whole set $E$, but subsets $E[y]$ for different values of $y$.

To further illustrate the need for this decision, let us consider a protocol
that does nothing. Because this protocol requires no resource to be
implemented, it would be nondominated even though it can hardly be considered
a distance bounding protocol. Considering $E[y]$ for some $y < 1$ instead of $E$
provides a quantifiable security guarantee in terms of mafia fraud that can
only be provided by actual distance bounding protocols. Moreover, varying
$y$ allows us to see how the set of nondominated protocols evolves when $y$
decreases. Table 4 shows such evolution considering $y$ to range within the
set $\{2^{-1}, 2^{-16}, 2^{-32}, 2^{-64}, 2^{-96}, 2^{-128}\}$.
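
An added example (not the paper's Java tool) of Definition 3 and the $E[y]$ restriction, run on the $y = 2^{-32}$ rows of Table 4 plus two constructed instances: a protocol that does nothing and a BC-like row with $c = 4$, the value Table 2 gives for BB. The dominance test (standard Pareto order, lower or false preferred on every axis), the reading of $E[y]$ as $p_m$ at most $y$, and the use of the $n$ column as $e$ are assumptions.

```python
from typing import NamedTuple

class Instance(NamedTuple):
    name: str
    e: int    # bits exchanged in the fast phase (the n column of Table 4)
    pm: int   # log2 of the mafia fraud success probability
    pd: int   # log2 of the distance fraud success probability
    pt: int   # log2 of the terrorist fraud success probability
    b: bool   # multiple-bit channel
    c: int    # cryptographic operations
    s: int    # memory in Kb, scaled as in Table 4
    f: bool   # final slow phase

def dominates(x, y):
    """Assumed Pareto order: x is no worse than y everywhere and not identical."""
    vx, vy = tuple(map(int, x[1:])), tuple(map(int, y[1:]))
    return vx != vy and all(a <= b for a, b in zip(vx, vy))

def restrict(E, log2_y):
    """E[y], read here as the instances whose p_m is at most y (assumption)."""
    return [x for x in E if x.pm <= log2_y]

def solution(E):
    """Definition 3: every instance of E that no instance of E dominates."""
    return [x for x in E if not any(dominates(y, x) for y in E)]

def names(S):
    return {x.name for x in S}

# The y = 2^-32 rows of Table 4, exponents and flags as printed there.
TABLE4 = [
    Instance("BC-{32}",         32, -32, -32,   0, False, 2, 0, True),
    Instance("KA-{37, 0.85}",   37, -32,  -2,   0, False, 1, 0, False),
    Instance("Poulidor-{42}",   42, -32, -16,   0, False, 1, 0, False),
    Instance("SKI-{78, 2}",     78, -32, -32, -78, True,  1, 0, False),
    Instance("SwissKnife-{32}", 32, -32, -13, -13, False, 2, 0, True),
    Instance("TMA-{53}",        53, -32, -32,   0, False, 1, 0, False),
    Instance("Tree-{48, 6}",    48, -32, -21,   0, False, 1, 1, False),
]
# Constructed instances, not taken from the paper's data set.
NULL = Instance("Null", 0, 0, 0, 0, False, 0, 0, False)  # does nothing, costs nothing
BB_LIKE = Instance("BB-like-{32}", 32, -32, -32, 0, False, 4, 0, True)  # BC row, c = 4
E = TABLE4 + [NULL, BB_LIKE]

if __name__ == "__main__":
    print("S(E):       ", sorted(names(solution(E))))
    print("S(E[2^-32]):", sorted(names(solution(restrict(E, -32)))))
```

Without the restriction the Null instance is part of the solution; in $E[2^{-32}]$ it is gone, and the $c = 4$ row is dominated by BC-{32} in both cases.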

According to Table 4, seven out of the thirteen considered protocols have 
at least one instance that is nondominated for some set E[y]. In this case, 
we say that these protocols are nondominated. The seven nondominated 
protocols are BC, KA, SKI, Swiss-Knife, TMA, Poulidor, and Tree-based. 
We intuitively explain this result as follows. 

• BC, BB, MAD, and RC achieve the optimal security in terms of both
mafia and distance fraud (see Figures 4 and 5 in the Appendix).
Consequently, none of them can be dominated by any of the remaining nine
protocols. However, BC leaves out BB, MAD, and RC from the set of
nondominated protocols because it requires fewer calls to cryptographic
functions.

• Swiss-Knife and SKI are the only protocols that resist terrorist fraud
(see Figure 6 in the Appendix). They do not dominate each other, as
illustrated by the spider chart in Figure 3(b). Both are thus nondominated.

• Tree-based, Poulidor, and TMA, are the best in terms of distance fraud 
(see Figure 5) among the protocols using single-bit exchanges and a 
single cryptographic operation. Because they do not dominate each 
other (see the Spider Chart 3(a)), the three are included in the set of 
nondominated protocols. 


‡ We recall that $x$ is in the attribute space $A = D_{p_m} \times D_{p_d} \times D_{p_t} \times D_e \times D_c \times D_s \times D_f \times D_b$
and $x_i \in D_i$ for every $i \in \{p_m, p_d, p_t, e, c, s, f, b\}$.
Table 4: Nondominated protocol instances for different sets $E[y]$. Every security value $p$
and memory value $m$ has been scaled according to the equations and $\lfloor m/1024 \rfloor$
respectively. For the sake of compactness, this table only shows for each protocol the
nondominated protocol instance (if any) with fewer bits exchanged during the fast phase.
The total number of nondominated protocols is given in the last column.


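(Columns $p_m$ through $f$ are the attribute values.)

| $y$ | Nondominated prot. instance | $n$ | $p_m$ | $p_d$ | $p_t$ | $b$ | $c$ | $s$ | $f$ | total |
|---|---|---|---|---|---|---|---|---|---|---|
| $2^{-1}$ | BC-{1} | 1 | $2^{-1}$ | $2^{-1}$ | $2^{0}$ | false | 2 | 0Kb | true | 256 |
| $2^{-1}$ | KA-{2, 0.5} | 2 | $2^{-1}$ | $2^{-0}$ | $2^{0}$ | false | 1 | 0Kb | false | 10 |
| $2^{-1}$ | SKI-{3, 2} | 3 | $2^{-1}$ | $2^{-1}$ | $2^{-0}$ | true | 1 | 1Kb | false | 254 |
| $2^{-1}$ | SwissKnife-{1} | 1 | $2^{-1}$ | $2^{-0}$ | $2^{-0}$ | false | 2 | 1Kb | true | 255 |
| $2^{-1}$ | TMA-{2} | 2 | $2^{-1}$ | $2^{-1}$ | $2^{0}$ | false | 1 | 0Kb | false | 1 |
| $2^{-1}$ | Tree-{2, 2} | 2 | $2^{-1}$ | $2^{-0}$ | $2^{0}$ | false | 1 | 0Kb | false | 400 |
| $2^{-16}$ | BC-{16} | 16 | $2^{-16}$ | $2^{-16}$ | $2^{0}$ | false | 2 | 0Kb | true | 241 |
| $2^{-16}$ | KA-{22, 0.55} | 22 | $2^{-16}$ | $2^{-4}$ | $2^{0}$ | false | 1 | 0Kb | false | 4 |
| $2^{-16}$ | Poulidor-{23} | 23 | $2^{-16}$ | 2-® | $2^{0}$ | false | 1 | 0Kb | false | 1 |
| $2^{-16}$ | SKI-{39, 2} | 39 | $2^{-16}$ | $2^{-16}$ | $2^{-39}$ | true | 1 | 0Kb | false | 218 |
| $2^{-16}$ | SwissKnife-{16} | 16 | $2^{-16}$ | $2^{-6}$ | $2^{-6}$ | false | 2 | 0Kb | true | 241 |
| $2^{-16}$ | TMA-{27} | 27 | $2^{-16}$ | $2^{-16}$ | $2^{0}$ | false | 1 | 0Kb | false | 1 |
| $2^{-16}$ | Tree-{24, 6} | 24 | $2^{-16}$ | $2^{-10}$ | $2^{0}$ | false | 1 | 0Kb | false | 394 |
| $2^{-32}$ | BC-{32} | 32 | $2^{-32}$ | $2^{-32}$ | $2^{0}$ | false | 2 | 0Kb | true | 225 |
| $2^{-32}$ | KA-{37, 0.85} | 37 | $2^{-32}$ | $2^{-2}$ | $2^{0}$ | false | 1 | 0Kb | false | 2 |
| $2^{-32}$ | Poulidor-{42} | 42 | $2^{-32}$ | $2^{-16}$ | $2^{0}$ | false | 1 | 0Kb | false | 1 |
| $2^{-32}$ | SKI-{78, 2} | 78 | $2^{-32}$ | $2^{-32}$ | $2^{-78}$ | true | 1 | 0Kb | false | 179 |
| $2^{-32}$ | SwissKnife-{32} | 32 | $2^{-32}$ | $2^{-13}$ | $2^{-13}$ | false | 2 | 0Kb | true | 225 |
| $2^{-32}$ | TMA-{53} | 53 | $2^{-32}$ | $2^{-32}$ | $2^{0}$ | false | 1 | 0Kb | false | 1 |
| $2^{-32}$ | Tree-{48, 6} | 48 | $2^{-32}$ | $2^{-21}$ | $2^{0}$ | false | 1 | 1Kb | false | 368 |
| $2^{-64}$ | BC-{64} | 64 | $2^{-64}$ | $2^{-64}$ | $2^{0}$ | false | 2 | 0Kb | true | 193 |
| $2^{-64}$ | KA-{73, 0.8} | 73 | $2^{-64}$ | $2^{-6}$ | $2^{0}$ | false | 1 | 0Kb | false | 4 |
| $2^{-64}$ | Poulidor-{78} | 78 | $2^{-64}$ | $2^{-32}$ | $2^{0}$ | false | 1 | 0Kb | false | 1 |
| $2^{-64}$ | SKI-{155, 2} | 155 | $2^{-64}$ | $2^{-64}$ | $2^{-155}$ | true | 1 | 0Kb | false | 102 |
| $2^{-64}$ | SwissKnife-{64} | 64 | $2^{-64}$ | $2^{-26}$ | $2^{-26}$ | false | 2 | 0Kb | true | 193 |
| $2^{-64}$ | TMA-{106} | 106 | $2^{-64}$ | $2^{-64}$ | $2^{0}$ | false | 1 | 0Kb | false | 1 |
| $2^{-64}$ | Tree-{96, 6} | 96 | $2^{-64}$ | $2^{-43}$ | $2^{0}$ | false | 1 | 2Kb | false | 295 |
| $2^{-96}$ | BC-{96} | 96 | $2^{-96}$ | $2^{-96}$ | $2^{0}$ | false | 2 | 0Kb | true | 161 |
| $2^{-96}$ | KA-{113, 0.75} | 113 | $2^{-96}$ | $2^{-12}$ | $2^{0}$ | false | 1 | 0Kb | false | 5 |
| $2^{-96}$ | Poulidor-{114} | 114 | $2^{-96}$ | $2^{-49}$ | $2^{0}$ | false | 1 | 0Kb | false | 1 |
| $2^{-96}$ | SKI-{232, 2} | 232 | $2^{-96}$ | $2^{-96}$ | $2^{-232}$ | true | 1 | 1Kb | false | 25 |
| $2^{-96}$ | SwissKnife-{96} | 96 | $2^{-96}$ | $2^{-39}$ | $2^{-39}$ | false | 2 | 1Kb | true | 161 |
| $2^{-96}$ | TMA-{158} | 158 | $2^{-96}$ | $2^{-96}$ | $2^{0}$ | false | 1 | 0Kb | false | 1 |
| $2^{-96}$ | Tree-{144, 6} | 144 | $2^{-96}$ | $2^{-64}$ | $2^{0}$ | false | 1 | 3Kb | false | 223 |
| $2^{-128}$ | BC-{128} | 128 | $2^{-128}$ | $2^{-128}$ | $2^{0}$ | false | 2 | 0Kb | true | 129 |
| $2^{-128}$ | KA-{145, 0.8} | 145 | $2^{-128}$ | $2^{-12}$ | $2^{0}$ | false | 1 | 0Kb | false | 4 |
| $2^{-128}$ | Poulidor-{148} | 148 | $2^{-128}$ | 2215 | $2^{0}$ | false | 1 | 0Kb | false | 1 |
| $2^{-128}$ | SKI-{219, 3} | 219 | $2^{-128}$ | $2^{-90}$ | $2^{-128}$ | true | 1 | 1Kb | false | 1 |
| $2^{-128}$ | SwissKnife-{128} | 128 | $2^{-128}$ | $2^{-53}$ | $2^{-53}$ | false | 2 | 1Kb | true | 129 |
| $2^{-128}$ | TMA-{210} | 210 | $2^{-128}$ | $2^{-128}$ | $2^{0}$ | false | 1 | 1Kb | false | 1 |
| $2^{-128}$ | Tree-{160, 16} | 160 | $2^{-128}$ | $2^{-77}$ | $2^{0}$ | false | 1 | 1280Kb | false | 150 |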







[Spider charts omitted. Panel (a) legend: Poulidor, Tree-based, TMA. Panel (b)
legend: SKI, Swiss-Knife. Recoverable axis labels: distance fraud, memory,
crypto calls.]

Figure 3: Two spider charts showing nondominated protocol instances. Figure 3(a)
considers the protocol instances Tree-based-{128}, Poulidor-{128}, and TMA-{128}.
Figure 3(b) considers the protocol instances Swiss-Knife-{128} and SKI-{64, 2}. All
axes have been normalized with respect to an ideal protocol instance executing 128
rounds that takes the optimal value for each attribute.


• KA does not perform well in terms of distance fraud (see Figure 5).
However, its resistance to mafia fraud can be as good as the one
provided by the Tree-based protocol without demanding an exponential
amount of memory (see Figure 4). Therefore, KA is also nondominated.

It is worth remarking that, according to Table 4, the set of nondominated
protocols is rather stable with $y$. The only exception is Poulidor, which
becomes a member of the set of nondominated protocols for $y < 2^{-16}$. This
behavior is likely to be due to the fact that the actual distance fraud
resistance of the Poulidor protocol cannot be computed yet [33, 32], but an
upper bound only.

5. Conclusion 

In this article, we have proposed a methodology to evaluate and compare
distance bounding protocols. The methodology benefits from experiences in
the decision making field, and defines the most relevant attributes that ought
to be considered in terms of security and implementability. Open-source
software implementing our methodology has been released, which
supported the evaluation and comparison of thirteen state-of-the-art distance
bounding protocols. Among the evaluated protocols, only seven are relevant
(nondominated) in terms of the considered criteria, namely resistance to
mafia, distance, and terrorist fraud, number of cryptographic operations,
memory, presence of a final slow phase, and use of a multiple-bit channel.
Clearly, most disqualified protocols had an important role in the evolution
of distance bounding protocols, but they are obsolete today. Future designs
of distance bounding protocols must, therefore, prove to be nondominated
with respect to a set of relevant criteria. Our results also show that the
asymptotic analysis of distance bounding protocols, as done commonly in
the literature, is inadequate and misleading. Finally, a clear side effect of
our methodology is that it can be used for ad-hoc decision making where the
decision maker is free to prioritize some attributes over others.
Appendix

Figures 4, 5, and 6 depict the resistance of each protocol to mafia,
distance, and terrorist fraud respectively. The attribute value for each fraud
comes from the protocol instance that minimizes it. For example, given
$e = 32$, the resistance to mafia fraud of the KA protocol is taken from the
protocol instance KA-{32, 1}. On the contrary, its distance fraud resistance
considering again $e = 32$ is taken from the protocol instance KA-{32, 0}.



Figure 4: Mafia fraud resistance of the considered protocols for $e \in \{32, 64, \ldots, 258\}$.